Is there a way to configure how fast a session is torn down on the ASA when it sees a RST or FINs? Right now it tears the connection down immediately but I would like it to have a fast age of 1 second instead before expiring the session.
The issue is that an inside client appliance is doing a very abrupt close (SSL teardown followed by RST) for performance reasons, and the return packets from the outside server (SSL teardown followed by FIN) are being denied by the ASA because the session was already terminated. This ends up in a lot of no connection deny logs and I'd like to keep the volume down.
The closest thing I can find is sysopt connection timewait, where it hangs on to the session for an additional 15 seconds. Not sure if that can be applied to a particular set of hosts though.
According to the command reference, it doesn't really list any options to use this for only certain hosts. So it seems to be a global setting for all connections. (8.4 software's command reference, but it seems unchanged from 8.2, for example.)
If it were possible, I would imagine that it would have been among the options listed in the earlier reply which you can apply to only certain connections, for example with an ACL identifying the source and destination hosts.
EDIT: I am not sure what using TCP State Bypass would do in this case. It might allow the packets through but I am not certain.
Here is one document related to TCP State Bypass (though totally different scenario)
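To measure how much of the deny volume described in this thread comes from late FIN/RST packets arriving after the session is gone, the following added example (not from any poster or from Cisco documentation) tallies ASA syslog message 106015, "Deny TCP (no connection)", by server, client and flags. The log lines are constructed, and the inside prefix `10.1.1.` and the function name are assumptions.

```python
import re
from collections import Counter

# Constructed sample ASA syslog lines (documentation address ranges), not taken from the thread.
SAMPLE_LOG = """\
Jan 10 12:00:01 fw1 %ASA-6-302014: Teardown TCP connection 4101 for outside:203.0.113.20/443 to inside:10.1.1.50/51512 duration 0:00:02 bytes 5120 TCP Reset-I
Jan 10 12:00:01 fw1 %ASA-6-106015: Deny TCP (no connection) from 203.0.113.20/443 to 10.1.1.50/51512 flags FIN ACK  on interface outside
Jan 10 12:00:03 fw1 %ASA-6-106015: Deny TCP (no connection) from 203.0.113.20/443 to 10.1.1.50/51513 flags FIN ACK  on interface outside
Jan 10 12:00:04 fw1 %ASA-6-106015: Deny TCP (no connection) from 203.0.113.20/443 to 10.1.1.50/51514 flags RST  on interface outside
Jan 10 12:00:05 fw1 %ASA-6-106015: Deny TCP (no connection) from 198.51.100.7/55000 to 10.1.1.60/22 flags ACK  on interface outside
Jan 10 12:00:06 fw1 %ASA-6-106015: Deny TCP (no connection) from 10.1.1.50/51515 to 203.0.113.20/443 flags RST  on interface inside
"""

# 106015 layout: "from IP/port to IP/port flags <tcp flags> on interface <name>"
DENY_RE = re.compile(
    r"%ASA-6-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?)\s+on interface (?P<ifc>\S+)"
)


def late_close_denies(log_text, inside_prefix="10.1.1."):
    """Count 106015 denies per (server, client, flags) for teardown packets sent to inside hosts."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        # Only packets headed to the inside clients match the scenario in the thread.
        if not m or not m["dst"].startswith(inside_prefix):
            continue
        flags = frozenset(m["flags"].split())
        # Late teardown packets carry FIN or RST; a deny on a bare ACK is a different problem.
        if flags & {"FIN", "RST"}:
            counts[(m["src"], m["dst"], " ".join(sorted(flags)))] += 1
    return counts


if __name__ == "__main__":
    for (server, client, flags), n in late_close_denies(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {server} -> {client}  [{flags}]")
```

Host pairs that dominate the output are the ones worth scoping any per-connection policy or log filtering to.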